
Setting up NameCheap (Comodo PositiveSSL) Certificate in Nginx with Docker

22 September 2015

There are two main steps to setting up SSL in Nginx with Docker:

1) Getting and setting up your certificate on nginx in general

2) Deploying your files and key to the relevant container

General Setup

For this writeup, I'm using docker-compose to manage a Docker deployment with a separate web and nginx container. For this one, the web container is running gunicorn on port 8000 while the nginx container is listening on 80 and 443.

For #1, this link was super helpful with information about what files NameCheap provides you. They ultimately send you multiple files that you need to combine into a cert bundle.

Make sure that you have generated the proper CSR and submitted it to NameCheap. Once they verify the request and issue you the certificate, they'll email you 4 files in a zip. It should look something like the below after you extract it:

You can choose whatever filename you want, but make sure it has the *.cer file extension.

Now move this .cer file to the same location as your original key, which is probably named something like yourdomain_com.key. Keeping them together just makes it easier to copy them over to your server or Docker setup.

Basic SSL setup on nginx

Ultimately, the nginx conf file will point to local copies of the cer and key file from above. We're talking about Docker containers, but it'd be the same for a VPS on something like AWS or DigitalOcean.

To configure Nginx to use the certs, they need to be somewhere on the host box. A common practice is to put the public cert in the /etc/ssl/certs directory and the private key in /etc/ssl/private.

You can put them anywhere, so long as you keep it straight. The benefit of the setup above is that you can set the permissions to 0755 for the private folder and 0700 for the public. For both of them, the owner/group is root:root.

This will be the structure I'll be using within the nginx container.

Putting it all together in your Dockerfile

Your Dockerfile is going to copy over the certs and keys to the directory structure discussed above on the nginx container.

Then, it will copy over a conf file for Nginx that references the certs. That's it.

Copy Certs in Dockerfile

The relevant line in your Nginx Dockerfile is

ADD ./ssl /etc/ssl

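This copies the contents of the local ssl directory into /etc/ssl in the image being built, which in this instance is the Nginx container. Note that this bakes the private key into an image layer, so anyone who can pull the image can read the key.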

Finishing Up

That's it. Now run the usual commands to get up and running:

docker-compose build
docker-compose up

You should now be able to access your site via http or https. If you want to only serve traffic using SSL, you'll need to alter the server block listening on port 80 in the nginx conf above to rewrite or redirect all requests to https.
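An added example, not the post's original conf: an nginx configuration that redirects everything on port 80 to HTTPS and serves the site on 443 from the certificate locations described above. The domain, the yourdomain_com.cer bundle filename and the `web` upstream hostname are assumptions.

```nginx
# Added example; values marked "assumed" are not from the original post.

# Port 80: serve no content, only redirect every request to HTTPS.
server {
    listen 80;
    server_name yourdomain.com;                      # assumed domain

    # Redirect to the configured name rather than the client-supplied Host header.
    return 301 https://$server_name$request_uri;
}

# Port 443: terminate TLS and proxy to gunicorn in the web container.
server {
    listen 443 ssl;
    server_name yourdomain.com;                      # assumed domain

    # Paths inside the nginx container, populated by `ADD ./ssl /etc/ssl`.
    # The .cer file is the combined bundle: your certificate first, then the
    # intermediates, so clients can build the chain.
    ssl_certificate     /etc/ssl/certs/yourdomain_com.cer;    # assumed filename
    ssl_certificate_key /etc/ssl/private/yourdomain_com.key;

    # Refuse legacy protocol versions (TLSv1.3 needs a recent nginx/OpenSSL).
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # "web" is an assumed docker-compose service name; gunicorn listens on 8000.
        proxy_pass http://web:8000;

        # Pass the original request details through to the application.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Running `nginx -t` inside the container validates the syntax and confirms that the certificate and key files can be loaded before you reload.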